Secure photo carrying identification device, as well as means and method for authenticating such an identification device

ABSTRACT

Means and a method for authenticating a photographic image ( 3 ) on an identification device ( 1 ), the identification device ( 1 ) being provided with: a photographic image of a person ( 3 ) and a microprocessor ( 8 ), the microprocessor ( 8 ) having: a) a processor ( 7 ), b) a memory ( 9 ) connected to the processor ( 7 ) and having stored authentication data, and c) interface means ( 5 ) connected to the processor ( 7 ) for communicating with an external device, wherein said photographic image ( 3 ) comprises steganographically hidden information, the content of which together with said authentication data allows authentication of said photographic image ( 3 ), the method having the following steps: a′) scanning the photographic image ( 3 ) and generating image data, b′) analyzing these image data in accordance with a predetermined image analysis procedure to derive said hidden information, and c′) carrying out the authentication of the photographic image ( 3 ) based on the hidden information and the authentication data.

FIELD OF THE INVENTION

The present invention relates to a photo carrying identification device, like passports, and (credit) cards used to identify persons, and thereafter authorize them to do a predetermined action, like entering a building, passing a border, carrying out an automatic debit transaction from an account, etc.

BACKGROUND OF THE INVENTION

The invention relates to the use of identification (ID) documents equipped with a picture of a document's holder, e.g., a driver's licence, or a plastic card having the size of a credit card, or a passport. In a common use of such an ID document, a human operator compares the picture on the document with the face of the document holder to assess entitlements sought by the document's holder based on credentials as defined by additional data in the document. A passport, for instance, gives access to a country based on nationality of the document's holder.

A problem encountered with such documents is that they are frequently copied with false credentials or a false picture.

A common solution to this problem is the application of physical tamper detection methods such as a sealing foil covering both the picture and the document, often combined with special inspection tools, like polarized light, to probe the tamper detection method. However, the use of such inspection tools often requires a skilled operator.

Another possible solution, referred to in paragraph [10002] of EP-B1-0,539,439, to tampering with the picture attached to the ID document is in using smart cards provided with a microprocessor having a processor and a memory. The memory in the card chip stores a digital copy of the picture on the card. A terminal is provided to read the content of the memory of the chip card and to display the stored image on a monitor to an operator. Then, the operator compares the displayed image on the monitor with the face of the actual card holder. This solution may even obviate the need to attach the picture on the card itself. However, this solution requires costly display equipment which, amongst other reasons, has made this solution unsuitable in particular areas of industry which offer great potential to the use of smart cards, such as public transit systems where ID smart cards are sought as efficient improvement of traditional discount passes.

A further problem encountered in ID systems is in protecting the privacy of the individual using the ID document. Especially in case such an ID document is realized as an electronically readable smart card, protection may be required from uncontrolled and/or unapproved collection of data identifying the individual and his or her use of the smart card.

To protect the privacy of the card holder, cryptographic techniques, e.g., blind signatures, may be applied to the process of reading ID and credential data from the smart card. However, the use of pictures stored in a card memory and read by a terminal for display on a monitor to an operator in principle defeats such cryptographic privacy protection. In such a case, the terminal is not only able to collect uniquely and strongly identifying data about individuals, i.e. their pictures, but also the nature of this data poses an additional threat in which, for instance, the individual may be compromised through digital image manipulation techniques.

U.S. Pat. No. 5,748,763, column 58, line 24, to column 62, line 45, describes a method and an arrangement for enhancing the security of credit and debit cards. The arrangement disclosed has a computer arranged for receiving a digital image of the card holder. After having analyzed the digital image the computer generates a snowy image which is generally orthogonal to the digital image and adds this to the digital image to render an amended, unique image. The intended effect is to “texturize” the original digital image. It is not necessary that the snowy image itself is invisible to a person looking at the image. However, the image of the card holder may not be obscured by the snowy image. The amended, unique image is printed on the card. Moreover, the unique information is also stored in a central accounting network.

In a steganographic embodiment the snowy image is such that it is hidden in the photographic image of the person on the card. More detailed information as to steganography can be found in U.S. Pat. No. 5,613,004 and the references cited in this document. For the sake of the present invention steganography will be understood to relate to any method of obscuring information that is otherwise in plain sight. The information is hidden in another medium. It is used as an alternative to encryption. E.g., spreadsheets or graphics files could contain a text message invisible to an unaware person. People unaware of the hidden information will not recognize the presence of steganographically hidden information even if the information is in plain view.

In U.S. Pat. No. 5,748,763, referred to above, a scanner is provided to scan the card when the card holder wishes to use his card for a predetermined transaction, e.g., automatic payment from his account to pay for a product. The scanner is connected to the central accounting network. By means of a secure communication protocol the image of the card scanned by the scanner is transmitted to the central network. The central network is arranged to receive the transmitted information and to authenticate the validity of the image on the card.

Additional security to the known system may be provided by requesting the card holder to input a PIN during the scanning process. Moreover, additional security is provided by letting a third party, during the scanning process, check whether or not the person trying to carry out a transaction with the card is the person whose photo is on the card.

A disadvantage of the system and method disclosed by U.S. Pat. No. 5,748,763 is that it can only operate when a central network is provided having stored all unique images of all participating cards.

SUMMARY OF THE INVENTION

A first object of the invention is to provide a photo carrying identification device that obviates the need for such a central network.

Therefore the invention provides an identification device provided with:

-   a photographic image of a person and
-   a microprocessor,
-   the microprocessor comprising:
    -   a processor,
    -   a memory connected to the processor and comprising authentication data, and
    -   interface means connected to the processor for communicating with an external device;

wherein the photographic image comprises steganographically hidden information, the content of which together with the authentication data allows authentication of the photographic image.

Thus, the invention provides an identification device which is provided with a microprocessor, comprising the authentication data necessary to authenticate the photographic image on the identification device. In other words, the key to authenticate the photographic image is in the identification device itself instead of in a central network.

Such an identification device may be, for instance, a passport or a plastic identification card, like a smart card.

In one embodiment of the invention the processor is arranged to carry out at least part of the authentication. To that effect the processor will carry out a program preferably stored in the memory of the microprocessor.

The authentication data stored in the memory of the microprocessor may be a part of the photographic image on the identification device. However, it may also be data related to the photographic image. For instance, it may be related to grey level, intensity distribution, or image entropy of the photographic image.

A second object of the invention is to provide a terminal, which is arranged to communicate with the identification device of the invention to allow carrying out the authentication process required.

In a first embodiment the invention therefore provides a terminal arranged to communicate with an identification device, the identification device being provided with:

-   a photographic image of a person and
-   a microprocessor,
-   the microprocessor comprising:
    -   a processor,
    -   a memory connected to the processor and comprising authentication data, and
    -   interface means connected to the processor for communicating with a terminal,

wherein the photographic image comprises steganographically hidden information, the content of which together with the authentication data allows authentication of the photographic image,

the terminal being provided with:

-   a picture scanner to scan the photographic image and to generate image data,
-   a terminal interface allowing communication with the processor of the identification device, and
-   an image processor arranged
    -   to receive the image data,
    -   to analyze these image data in accordance with a predetermined image analysis procedure to derive the hidden information,
    -   to receive the authentication data from the memory, and
    -   to carry out at least part of the authentication of the photographic image based on the authentication data and the hidden information.

In this first embodiment, the authentication of the photographic image is either partly or entirely carried out by the image processor in the terminal.

The steps necessary to carry out said authentication will, in practice, be stored in a terminal memory. In an embodiment of the invention, the way in which these steps are carried out depends on the authentication data received from the memory of the identification device. In such an embodiment, the authentication carried out by the terminal will depend on data received from the identification device itself. This makes it impossible to predict the actual authentication steps carried out by the terminal, which enhances the security.

However, the security can also be enhanced in an alternative embodiment in which the processor of the identification device itself carries out at least part of the authentication of the photographic image. Therefore, the invention also provides a second embodiment of the terminal. This second embodiment terminal is arranged to communicate with an identification device, the identification device being provided with:

-   a photographic image of a person and
-   a microprocessor,
-   the microprocessor comprising:
    -   a processor,
    -   a memory connected to the processor and comprising authentication data, and
    -   interface means connected to the processor for communicating with a terminal,

wherein the photographic image comprises steganographically hidden information, the content of which together with the authentication data allows authentication of the photographic image,

the processor being arranged to carry out at least part of the authentication of the photographic image,

the terminal being provided with:

-   a picture scanner to scan the photographic image and to generate image data,
-   a terminal interface allowing communication with the processor of the identification device, and
-   an image processor arranged
    -   to receive the image data,
    -   to analyze these image data in accordance with a predetermined image analysis procedure to derive the hidden information, and
    -   to transmit at least the hidden information to the processor to allow the processor to carry out the at least part of the authentication of the photographic image.

Moreover, the invention relates to a method for authenticating a photographic image on an identification device, the identification device being provided with:

-   a photographic image of a person and
-   a microprocessor,
-   the microprocessor comprising:
    -   a processor,
    -   a memory connected to the processor and comprising authentication data, and
    -   interface means connected to the processor for communicating with an external device,

wherein the photographic image comprises steganographically hidden information, the content of which together with the authentication data allows authentication of the photographic image,

the method comprising the following steps:

-   scanning the photographic image and generating image data,
-   analyzing these image data in accordance with a predetermined image analysis procedure to derive the hidden information, and
-   carrying out the authentication of the photographic image based on the hidden information and the authentication data.

Finally, the invention relates to data carriers provided with a computer program and to computer programs as such for such a method.

Hereinafter, the present invention will be illustrated with reference to some drawings which are intended to illustrate the invention and not to limit its scope.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic drawing of the system according to the invention showing a smart card and a terminal;

FIG. 2 shows the functional units of the microprocessor of the smart card in a schematic way;

FIG. 3 schematically shows how information can be hidden in a photographic image;

FIG. 4 shows a flow diagram of the method according to the invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

FIG. 1 shows a smart card 1 provided with a photographic image 3 of the card holder. The smart card 1 is provided with an interface 5 shown to be made of metallic pads. However, the interface 5 may have any other form, e.g., an antenna hidden within the smart card 1 allowing for contactless communication with an external device.

As shown in FIG. 2, the interface 5 is connected to a card processor 7 which is also connected to a card memory 9.

Returning now to FIG. 1, the smart card 1 is, preferably, provided with one or more orientation signs 2 assisting a scanner during scanning the photographic image 3, as will be explained hereinafter.

It is observed that FIG. 1 shows a smart card 1 but that the invention is equally applicable for other types of documents having a photographic image of the document holder and a processor arranged to communicate with an external device.

The smart card 1 may be inserted into and removed from an opening 14 in a terminal 11. The terminal 11 is provided with a picture scanner 13 and a connector 15.

The picture scanner 13 is arranged such that it may scan the photographic image 3 either during insertion of the smart card 1 into the opening 14 or after the smart card 1 has been inserted entirely in opening 14.

The connector 15 will contact the interface 5 of the smart card 1 when the smart card 1 has been inserted entirely in the opening 14. Of course, when interface 5 is designed in another form, e.g. an antenna, the connector 15 is to be replaced by another type of interface arranged to communicate with interface 5.

The picture scanner 13 is connected to a processor 17 which is also connected to the connector 15 and to a memory 19.

FIG. 1 also shows some input means, like a mouse 21, and a keyboard 23, allowing an operator to input data to the processor 17. A monitor 25 connected to the processor 17 is provided to allow the processor to display necessary information to the operator. Of course, any other kind of display means may be provided instead of or in addition to monitor 25.

In an alternative embodiment of the terminal shown in FIG. 1, the processor 17 is provided as a processing unit within the picture scanner 13. Then, the picture scanner 13 is directly connected to connector 15 (or any other interface) by a direct link indicated with reference sign 16.

FIG. 3 schematically shows that the photographic image 3 is provided with additional information 4. The additional information 4 is added to the photographic image 3 such that it is invisible to the human eye. Moreover, the additional information 4 may have such small dimensions that it is virtually impossible to be detected by automatic scanners if they do not know where to look for the additional information. The additional information 4 is added to the photographic image 3 by using steganographic techniques which are known to persons skilled in the art.

It is observed that, in FIG. 3, the additional information 4 is shown on such an enlarged scale that it is visible but in practice it will not be visible to the human eye. Moreover, in a preferred embodiment, the individual dots of information 4 are distributed over the entire image 3 to make it more difficult to find them.

The additional information 4 may have no relation at all to the content of the photographic image 3. However, the photographic image 3 before being printed on the smart card 1 may be preprocessed in such a way that the additional information 4 is calculated in dependence on the content of the photographic image 3 such that the degree to which it is hidden in the photographic image 3 is as good as possible.

In accordance with the present invention, the card memory 9 is provided with authentication data. The content of this authentication data, together with the hidden information 4, allows authentication of the photographic image 3.

In its simplest form, the authentication data has a one to one relation to the hidden information 4. However, the hidden information 4 may be present within the photographic image 3 in cryptographically processed form, e.g., it may be provided with a cryptographic signature such that the validity of the hidden information 4 can only be checked by an apparatus knowing the key to the cryptographic signature. Such a key is, then, stored in the card memory 9.

The hidden information 4 is such that it can be recognized by digitization of the photographic image 3 even if it is incomplete or otherwise impaired. The hidden information may have the form of a digital watermark.

Checking the validity of the hidden information may be based on any kind of calculation using both the hidden information 4 and the authentication data in the card memory 9.

As shown in FIG. 4, in order to allow for authentication, the card holder has to insert his or her smart card 1 into the opening 14 of the terminal 11. During insertion or after completing the insertion, the picture scanner 13 scans the photographic image 3, while interfaces 5 and 15 may communicate with one another. The orientation signs 2 may assist the picture scanner 13 in detecting where to search for the hidden information 4. The picture scanner 13 processes the photographic image 3 and generates image data which is sent to the processor 17, step 30.

The processor 17 digitally processes the received image data, as well as the authentication data stored in the card memory 9 in accordance with a predetermined program. In accordance with the predetermined program, which is preferably stored in memory 19, the processor 17 separates the hidden information 4 from the photographic image 3, step 32, and uses the hidden information 4 to establish the authenticity of the photographic image 3, step 34.

The authentication data received from the smart card 1 may be protected with any cryptographic means known to persons skilled in the art. Additionally, the data may be provided with a digital signature.

The authentication process carried out by the processor 17 may depend on the authentication data received from the smart card 1 in such a way that for different authentication data a different authentication process is carried out. This further enhances security.

In an alternative embodiment, instead of the processor 17 in the terminal 11, the card processor 7 is arranged to carry out the authentication process. To that end, it receives the hidden information 4 by means of the terminal 11.

However, since the card processor 7 and its memory 9 will only have a limited capacity, in practice, it will be preferred that both the processor 17 of the terminal 11 and the card processor 7 carry out part of the authentication process. The card processor 7 may, for instance, perform a final authentication step of the authentication process.

In a further embodiment the card memory 9 may be provided with credential data, i.e., data indicating predetermined actions the card holder is allowed to do, e.g., entering a building or an area, debiting an account, etc. In that case, the card processor 7 is, preferably, arranged to transmit these credential data to the processor 17 only when its own part of the authentication process has been carried out successfully. Thus, by receiving the credential data the processor 17 is informed that the authentication steps carried out by card processor 7 did not find any problems. When it does not receive the credential data the processor 17 knows that the authentication process has been unsuccessful.

To further enhance the security, the authentication data stored in card memory 9 may be related to one or more specific or general characteristics of the image 3 itself, like grey level, intensity distribution or image entropy. These parameters will be derived by the picture scanner 13 and transmitted to the processor 17. These parameters may be used by the processor 17 during the authentication process. However, in order to further enhance security, these parameters may be passed through the processor 17 to the card processor 7 which uses one or more of these parameters during carrying out its authentication steps.
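The card-side variant described above (hidden information extracted by the terminal, checked by the card processor together with a grey-level feature, credential data released only on success) can be modelled as follows. This is an added Python example, not code from the patent: the least-significant-bit embedding, the HMAC standing in for the "cryptographic signature", the layout seed, the key and the sample images are all assumptions, and it works on lossless pixel data rather than a real print-and-scan channel.

```python
import hashlib
import hmac
import random

TAG_BYTES = 8  # length of the hidden information 4 (assumed)

def image_feature(pixels):
    """Digest of a coarse grey-level histogram (upper 4 bits of each pixel)."""
    hist = [0] * 16
    for p in pixels:
        hist[p >> 4] += 1
    return hashlib.sha256(repr(hist).encode()).digest()

def positions(n_pixels, layout_seed):
    """Pixel positions spread over the whole image, fixed by the analysis procedure."""
    return random.Random(layout_seed).sample(range(n_pixels), TAG_BYTES * 8)

def keyed_tag(key, feature):
    """HMAC over the image feature; stand-in for a signature on the hidden information."""
    return hmac.new(key, feature, hashlib.sha256).digest()[:TAG_BYTES]

def embed(pixels, key, layout_seed):
    """Issuer: hide the keyed tag in the least significant bits of the chosen pixels."""
    tag = keyed_tag(key, image_feature(pixels))
    out = list(pixels)
    for i, pos in enumerate(positions(len(out), layout_seed)):
        bit = (tag[i // 8] >> (7 - i % 8)) & 1
        out[pos] = (out[pos] & 0xFE) | bit
    return out

def extract(pixels, layout_seed):
    """Terminal, step 32: separate the hidden information from the image data."""
    tag = bytearray(TAG_BYTES)
    for i, pos in enumerate(positions(len(pixels), layout_seed)):
        tag[i // 8] |= (pixels[pos] & 1) << (7 - i % 8)
    return bytes(tag)

class Card:
    """Card processor 7 with card memory 9 holding the key and the credential data."""
    def __init__(self, key, credentials):
        self._key = key
        self._credentials = credentials

    def authenticate(self, hidden_info, feature):
        """Final authentication step; credential data leaves the card only on success."""
        if hmac.compare_digest(keyed_tag(self._key, feature), hidden_info):
            return self._credentials
        return None

def terminal_check(scanned_pixels, card, layout_seed):
    """Terminal 11: derive hidden information and feature, hand both to the card."""
    hidden = extract(scanned_pixels, layout_seed)
    return card.authenticate(hidden, image_feature(scanned_pixels))

# Constructed sample data: two 64x64 grey-level images, a demo key and layout seed.
GENUINE = [(3 * x + 5 * y) % 256 for y in range(64) for x in range(64)]
IMPOSTOR = [(7 * x + y) % 200 for y in range(64) for x in range(64)]
KEY = b"constructed-demo-key"
SEED = 2024

def demo():
    card = Card(KEY, b"ENTER_BUILDING_A")
    printed = embed(GENUINE, KEY, SEED)
    # Forgery 1: the photo is replaced, no hidden information present.
    # Forgery 2: the hidden bits are copied from the genuine photo into the new one.
    transplanted = list(IMPOSTOR)
    for pos in positions(len(printed), SEED):
        transplanted[pos] = (transplanted[pos] & 0xFE) | (printed[pos] & 1)
    return {
        "genuine": terminal_check(printed, card, SEED),
        "replaced": terminal_check(IMPOSTOR, card, SEED),
        "transplanted": terminal_check(transplanted, card, SEED),
    }

if __name__ == "__main__":
    print(demo())
```

The transplanted case fails because the tag is computed over the grey-level feature of the genuine image, so copying the hidden bits into a different photograph no longer matches what the card recomputes.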

Instead of the picture scanner 13 establishing the value of one or more of these parameters, these parameters may be digitally stored in the photographic image 3. The digitized value of these parameters may have been printed after being encoded. Before these digitized values of these parameters are added to the photographic image 3 they may be encoded.

In the embodiment described above, the terminal 11 is shown to include a memory 19. As is evident to persons skilled in the art, memory 19 may comprise any kind of memory type like RAM, ROM, EPROM, EEPROM, etc. or any combination thereof. For the purpose of the present invention the memory 19 need not necessarily be physically located within the terminal 11.

Moreover, the processor 17 is shown to be one block. However, if preferred, the processor 17 may be implemented as several subprocessors communicating with one another, each dedicated to perform a predetermined task. Preferably, the processor 17 is (or the subprocessors are) implemented as a computer with suitable software. However, if desired, they may be implemented as dedicated digital circuits.

The method in accordance with the present invention is preferably implemented by suitable software. This software may be distributed by data carriers like CD-ROMs or through the Internet or any other data communication medium.

1. An identification device comprising: a photographic image of a person; and a microprocessor, the microprocessor comprising: a processor, a memory connected to the processor and comprising authentication data, and interface means connected to said processor for communicating with an external device, wherein said photographic image comprises steganographically hidden information, the content of which together with said authentication data allows authentication of said photographic image, wherein the microprocessor is arranged to carry out at least part of the authentication.

2. The identification device according to claim 1, wherein said memory includes credential data and the microprocessor is arranged to transmit the credential data to the external device only when the microprocessor has carried out at least part of the authentication successfully.

3. The identification device according to claim 1 or 2, wherein said processor is arranged to carry out at least part of said authentication.

4. The identification device according to claim 1 or 2, wherein said hidden information is provided with a cryptographic signature.

5. The identification device according to claim 1, wherein said authentication data is at least partly related to a feature of the photographic image.

6. The identification device according to claim 1, wherein said hidden information is related to a feature of the photographic image.

7. The identification device according to claim 5 or 6, wherein said feature is at least one of gray level, intensity distribution, and image entropy.

8. A terminal arranged to communicate with an identification device, said identification device comprising: a photographic image of a person; and a microprocessor, the microprocessor comprising: a processor, a memory connected to the processor and comprising authentication data, and interface means connected to said processor for communication with a terminal, wherein said photographic image comprises steganographically hidden information, the content of which together with said authentication data allows authentication of said photographic image and the microprocessor is arranged to carry out at least part of the authentication of the photographic image, said terminal including: a picture scanner to scan the photographic image and to generate image data, a terminal interface allowing communication with said processor of the identification device, and an image processor arranged to receive said image data to analyze the image data in accordance with a predetermined image analysis procedure to derive said hidden information, and to transmit at least the hidden information to the processor to allow the processor to carry out the at least part of the authentication of the photographic image.

9. The terminal according to claim 8, wherein said authentication comprises a set of predetermined steps stored in a terminal memory, the way in which said steps are carried out depending on said authentication data received from said memory of said identification device.

10. A terminal according to claim 8, wherein the image processor is arranged to carry out a further part of the authentication of the photographic image only when it has received credential data from the microprocessor.

11. The terminal according to claim 8, 9, or 10, wherein said terminal has an opening for receiving said identification device, both said picture scanner and said terminal interface being located within said opening.

12. The terminal according to claim 8 or 10, wherein said image processor is integrated within said picture scanner.

13. A method for authenticating a photographic image on an identification device, said identification device comprising: a photographic image of a person; and a microprocessor, the microprocessor comprising: a processor, a memory connected to the processor and comprising authentication data, and interface means connected to said processor for communicating with an external device, wherein said photographic image comprises steganographically hidden information, the content of which together with said authentication data allows authentication of said photographic image, said method comprising the following steps: scanning the photographic image and generating image data, analyzing the image data in accordance with a predetermined image analysis procedure to derive said hidden information, and carrying out said authentication of said photographic image based on said hidden information and said authentication data, wherein the microprocessor performs at least part of the authentication.

14. A data carrier provided with a computer readable program for a method for authenticating a photographic image on an identification device, said identification device comprising: a photographic image of a person; and a microprocessor, the microprocessor comprising: a processor, a memory connected to the processor and comprising authentication data, and interface means connected to said processor for communicating with an external device, wherein said photographic image comprises steganographically hidden information, the content of which together with said authentication data allows authentication of said photographic image, said method comprising the following steps: scanning the photographic image and generating image data, analyzing the image data in accordance with a predetermined image analysis procedure to derive said hidden information, and carrying out said authentication of said photographic image based on said hidden information and said authentication data, wherein the microprocessor performs at least part of the authentication.

15. A computer program product for a method for authenticating a photographic image on an identification device, said identification device comprising: a photographic image of a person; and a microprocessor, the microprocessor comprising: a processor, a memory connected to the processor and comprising authentication data, and interface means connected to said processor for communicating with an external device, wherein said photographic image comprises steganographically hidden information, the content of which together with said authentication data allows authentication of said photographic image, said method comprising the following steps: scanning the photographic image and generating image data, analyzing the image data in accordance with a predetermined image analysis procedure to derive said hidden information, and carrying out said authentication of said photographic image based on said hidden information and said authentication data, wherein the microprocessor performs at least part of the authentication.